Domain 1: Explain the importance of using appropriate cryptographic solutions Flashcards

1
Q

Public Key Infrastructure (PKI)

A

Foundation of security comprising public and private keys, certificates, and key escrow mechanisms. Encryption, a cornerstone of information protection, comes in various forms, including full-disk, file, and database encryption, which are bolstered by tools such as Trusted Platform Modules (TPMs) and Hardware Security Modules (HSMs).

2
Q

Public key

A

The role of the public key is to encrypt data and validate digital signatures.

3
Q

What is the public key encryption standard?

A

To identify a public key, the format (also known as the Public-Key Cryptography Standards (PKCS) of the public key) is P7b and the file extension is .cer. The file serves as a form of digital “identity proof,” much like a physical certificate (such as an award or diploma).

4
Q

Private Key

A

The primary function of the private key is decryption.
Often stored in digital or hardware-based cryptographic devices, it’s shielded behind layers of security measures, such as strong passwords and biometric authentication

5
Q

Key escrow

A

Key escrow is a trusted third party responsible for securely storing copies of cryptographic keys

6
Q

Hardware Security Module (HSM)

A

A specialized (has to be bought) hardware device designed to provide robust security measures for the management and protection of cryptographic keys, sensitive data, and cryptographic operations.

7
Q

Encryption level

A

The encryption level relates to the robustness and intricacy of both the encryption algorithm and the cryptographic key employed to safeguard sensitive information.

8
Q

Full disk encryption

A

FDE is a robust security measure designed to protect the data stored on a computer’s hard drive or Solid-State Drive (SSD). It accomplishes this by encrypting the entire storage device, making it unreadable without the appropriate decryption key. One of the key components that can enhance the security of FDE is a Trusted Platform Module (TPM) chip where the keys can be stored

9
Q

File encryption

A

Each individual document, image, or spreadsheet becomes a treasure chest of encrypted secrets. Unauthorized access results in mere jumbles of characters, rendering stolen files unreadable and inconsequential.

10
Q

Volume encryption

A

BitLocker’s integration with the TPM introduces a robust layer of security, enhancing the process of volume-level encryption. By utilizing the TPM chip, BitLocker ensures the integrity of a system’s boot process and authentication mechanisms - Volume encryption offers you the choice to encrypt different volumes

11
Q

BitLocker

A

Windows encryption technology that protects your data from unauthorized access by encrypting your drive and requiring one or more factors of authentication before it will unlock it.

12
Q

TLS encryption steps

A

Handshake: The sender and receiver initiate a handshake, during which they agree on encryption parameters, exchange cryptographic keys, and authenticate each other’s identity.
Encryption: Once the handshake is complete, the actual data transmission begins. The data is encrypted using symmetric encryption keys, ensuring that only the authorized recipient possesses the means to decipher it.
Transmission: The encrypted data traverses the internet’s various networks and routers, shielding it from prying eyes and potential eavesdroppers.
Decryption: Upon reaching the intended recipient, the data is decrypted using the same symmetric key. This process ensures that only the recipient can access the original, meaningful information.

13
Q

Secure Sockets Layer (SSL)

A

Serves as a secure communication protocol that establishes a safe and encrypted connection between two communicating systems. It works with the standard TCP/IP protocol, acting as a protective shield for the data being transmitted. One use case is HTTPS for web browsing.

14
Q

Homomorphic encryption

A

Homomorphic encryption is a groundbreaking cryptographic technique that enables data to be processed and manipulated without the need for decryption. In traditional encryption methods, data must be decrypted before any computation can take place, which exposes the sensitive information to potential security risks. However, homomorphic encryption offers a revolutionary approach that allows computations to be performed directly on encrypted data, maintaining its confidentiality throughout the entire process.

15
Q

Key longevity

A

Key longevity refers to the duration over which cryptographic keys remain secure and effective in protecting sensitive data, making it imperative to periodically update keys to stay ahead of potential security threats. This is typically between one and two years.

16
Q

Key exchange

A

Key exchange is the art of securely delivering cryptographic keys from sender to receiver. We cannot encrypt data without performing a public key exchange first.

17
Q

Asymmetric encryption examples

A

Examples of asymmetric algorithms include RSA, Diffie–Hellman, and Elliptic Curve Cryptography (ECC).

18
Q

Key length

A

The length of cryptographic keys is the measure of their resistance against attacks. A key’s length directly affects the complexity of deciphering encrypted data. Longer keys equate to more formidable defenses due to complexity. In a world of rapidly advancing computational power, key length becomes a crucial factor in thwarting malicious attempts.

19
Q

TPM

A

A TPM is a hardware-based security component integrated into computers and devices. It generates, stores, and manages cryptographic keys in a secure environment. A TPM ensures the integrity of system boot processes, offers hardware-based authentication, and supports encryption tasks. It’s used to enhance system security by safeguarding cryptographic keys and enabling secure device bootups

20
Q

Secure enclave

A

A secure enclave is a hardware-based security feature found in modern processors, such as Apple’s T2 chip. It provides a separate and isolated environment for secure operations, such as storing sensitive data and executing cryptographic operations. Secure enclaves are used to protect user data, biometric information, and cryptographic keys from potential software-based attacks.

21
Q

Obfuscation

A

Obfuscation involves deliberately making code, data, or information more complex and difficult to understand.

22
Q

Steganography

A

Imagine secret messages concealed within innocent-looking envelopes. Steganography operates on this principle, allowing sensitive information to be hidden within seemingly innocuous data, such as images or audio files.

23
Q

Tokenization

A

Tokenization acts as a digital locksmith, transforming sensitive data into unique tokens that hold no inherent value.

24
Q

Data masking

A

Data masking, akin to wearing a mask for anonymity, involves disguising sensitive data by replacing original values with fictitious ones

25
Q

Hashing

A

A hash value is a condensed representation of input data generated by a hash function. It appears as a seemingly random string of characters, regardless of the original data’s size.
- One-way function

26
Q

Hashing algorithms

A

Two of the most common of which are SHA1 (160-bit) and MD5 (128-bit).

27
Q

Salting

A

In the context of cybersecurity, “salting” refers to the technique of adding random data (or a “salt”) to passwords before they are hashed and stored

28
Q

Benefits of Hashing

A

Data integrity: Hashing can help you ensure your data has not been altered in any way. If you hash a file before you download it from the internet and hash it afterward and the file remains the same, then data integrity has been maintained. If it does not, the file has been tampered with.
Password security: Hashing is a one-way function that turns passwords into unbreakable codes using complex rules. Hackers might try to crack the code, but the intricate design of hashing makes it incredibly difficult, like getting lost in a maze without being able to find the way out. This clever encryption keeps passwords safe, creating a world where the real password stays hidden, wrapped in a cloak of complexity

29
Q

Digital signatures

A

A digital signature is an electronic equivalent of a handwritten signature in that it is uniquely tied to the signer and the content being signed.

30
Q

Key stretching

A

Key stretching is a cryptographic technique designed to transform a password into a longer, more complex key. The objective is to slow down the process of deriving the original password, making it computationally infeasible for attackers to break into a system by brute force or dictionary attacks.

31
Q

Key stretching methods

A

Password-Based Key Derivation Function 2 (PBKDF2): This widely used method iterates through a hash function multiple times, effectively slowing down the key derivation process
Bcrypt: Specifically designed to address password hashing, Bcrypt incorporates salt and multiple rounds of hashing to amplify the time required for each iteration

32
Q

Blockchain

A

This digital ledger thrives on data batches called blocks that are distributed across countless computers, a strategy that ensures security through decentralization.
Blockchain can record financial, medical, and property transactions. Each block holds data and hashes, forming a chain within this distributed public ledger. To add a block, a computer cracks a puzzle, signaling readiness to the network, which is a process known as proof of work

33
Q

Public ledger

A

The open public ledger is a foundational element of blockchain systems. It’s essentially a digital record of all transactions that have ever occurred within the blockchain network.

34
Q

Consensus mechanism

A

To maintain the accuracy and integrity of the ledger, consensus mechanisms such as proof of work or proof of stake are employed. These mechanisms ensure that the network participants agree on the legitimacy of transactions before they are added to the ledger.

35
Q

Certificate Authorities (CAs)

A

In today’s digital era, trust is the bedrock of secure online interactions. CAs take center stage as guardians of authenticity. They validate digital identities using cryptographic keys, ensuring the websites we visit and the data we share are genuine. At the core of this process lies the root key, which is used to sign certificates.

36
Q

Online CA

A

Online CAs swiftly verify keys in real time, matching the pace of the digital world

37
Q

Offline CA

A

Offline CAs prioritize security by working in isolated environments, away from online threats

38
Q

CRLs

A

These lists contain the serial numbers of certificates that have been revoked, compromised, or expired.

39
Q

OCSP

A

The OCSP addresses some of the shortcomings of CRLs, one of which is its speed. OCSP is comparatively much faster. While CRLs could spend time downloading a potentially large list, OCSP enables real-time certificate validation by allowing systems to query the CA’s server directly

40
Q

Self-signed certificates

A

A self-signed certificate is a digital certificate that is generated and signed by the same entity it is issued to. Unlike certificates issued by trusted third-party CAs, self-signed certificates are not verified by an external authority. This means that the entity creating the certificate is attesting to its own identity without any external validation. Self-signed certificates can be placed on multiple internal servers.

41
Q

Digital Certificate

A

A digital certificate is a file or electronic password that proves the authenticity of a device, server, or user through the use of cryptography and the public key infrastructure (PKI). Digital certificate authentication helps organizations ensure that only trusted devices and users can connect to their networks.

42
Q

Certificate Signing Request (CSR) generation

A

When an individual or organization seeks to obtain a digital certificate from a trusted CA, they generate a CSR. This file encapsulates essential details such as the entity’s name, domain, and a public key.

43
Q

Wildcard

A

For a wildcard certificate for a domain called securityplus.training, the wildcard certification would be *.securityplus.training on multiple public-facing web servers. A single wildcard certificate can be installed on multiple servers within the same domain, thereby reducing the cost of purchasing multiple certificates.

44
Q
A
45
Q

SPF

A

SPF is another email authentication mechanism. It checks whether the sender’s IP address is authorized to send mail on behalf of a particular domain

46
Q

PGP

A

With PGP, emails are encrypted end to end, meaning only the intended recipient can unlock and decipher the content, even if it is intercepted during transit.

47
Q

S/MIME

A

This uses Public Key Infrastructure (PKI) to either encrypt emails or digitally sign emails to prove the integrity of the message

48
Q

Uninterruptible Power Supply

A

Uninterruptible Power Supply (UPS): A UPS is an electrical device used to provide backup power to connected equipment or devices during power outages or fluctuations in the electrical supply. It is designed to keep the system going only for a few minutes to allow the server team to close the servers

49
Q

Power Distribution Units (PDUs)

A

PDUs serve as a frontline defense, effectively mitigating power spikes, blackouts, and brownouts to safeguard your critical equipment and data. Their primary function is to maintain a balanced distribution of power, guard against the perils of overload and overheating, and thereby enhance the safety and longevity of connected equipment. Additionally, PDUs can be used to remotely monitor power consumption, providing valuable insights into energy usage patterns.

50
Q

What type of device could suffer an ARP attack?

A

A switch (because it works with MAC addresses)

51
Q

What kind of records are created by DNS poisoning, and how can we prevent this attack?

A

DNS poisoning creates RRSIG records and can be prevented using DNSSEC

52
Q

Buffer Overflow

A

Too much data in a field, overwriting adjacent memory

53
Q

SQL injection

A

Database attack; look for SELECT * or 1=1

54
Q

Switch

A

A switch is an internal network device that links all machines in the local area network (LAN), maintaining a table known as Content Addressable Memory (CAM) with MAC addresses to identify connected hosts.

55
Q

Routers

A

A router is a device used to connect two different networks when setting up a host machine, known as the default gateway. It is used by your company to give you access to other networks—for example, the internet. It has a routing table built into it, so it knows which route can be used to deliver network packets. The router is the IP equivalent of a post office sending letters around the world, but instead of letters, IP packets are transported.

56
Q

Where is account information stored in Linux machines?

A

/etc/passwd, which contains basic information about user accounts, and /etc/shadow, which contains the password information. Only the administrator

57
Q

NT LAN Manager (NTLM)

A

Is a legacy authentication protocol and a predecessor to Kerberos that stores passwords using the MD4 hash (which is very easy to crack). It was consequently susceptible to pass-the-hash attacks.

58
Q

Server Message Block Port

A

Server message block port 445

Modern file and print services

59
Q

FIPS US Government Standards/Guidelines

A

These are a set of standards and guidelines developed by NIST for the U.S. federal government. They serve as the foundation upon which secure and reliable computer systems are built.

60
Q

Bridge

A

A bridge is a network device that connects multiple subnetworks to create a single network

61
Q

DDNS

A

Dynamic DNS (DDNS) is an extension of DNS that automatically updates IP addresses associated with domain names in real time. It expands the capabilities of DNS. With DDNS, organizations and individuals can maintain connectivity and accessibility even in dynamic IP address environments.

62
Q

Active-passive configuration load balancer

A

In an active-passive configuration, the server load balancer recognizes a failed node and redirects traffic to the next available node.

63
Q

Active-active configuration load balancer

A

Active-active clusters: Client machines connect to a load balancer that distributes their workloads across multiple active servers. Active-passive clusters: Client machines connect to the main server, which handles the full workload, while a backup server remains on standby, only activating in the event of a failure.